Compiler discards const stack variable declarations and generates segfaulting code #19011

mikastiv · 2024-02-20T02:09:48Z

Zig Version

0.12.0-dev.2811+3cafb9655

Steps to Reproduce and Observed Behavior

I'm on Windows 10

The code pasted below will segfault on try vertices.append(v0); in one of the ArrayList grows. This seems to be related to parameter-reference-optimization because the code will pass the arguments by pointer, which will be freed when it's time to copy them. The strange thing here is that by changing the variable declarations from const to var, the generated code is now correct and passes the arguments by value. There is also another workaround where we call try vertices.appendSlice(&.{ v0, v1 }); This happens in both debug and release fast

const std = @import("std");

pub fn main() !void {
    var gpa = std.heap.GeneralPurposeAllocator(.{}){};
    defer _ = gpa.deinit();

    var arena = std.heap.ArenaAllocator.init(std.heap.page_allocator);
    defer arena.deinit();

    const allocator = gpa.allocator();
    // Using arena allocator also is a workaround
    // const allocator = arena.allocator();

    var vertices = std.ArrayList([3]f32).init(allocator);
    defer vertices.deinit();

    for (0..1000) |i| {
        if (i > 2) {
            // Generates segfault
            const v0 = vertices.items[vertices.items.len - 3];
            const v1 = vertices.items[vertices.items.len - 1];
            try vertices.append(v0);
            try vertices.append(v1);

            // 1st workaround
            // var v0 = vertices.items[vertices.items.len - 3];
            // var v1 = vertices.items[vertices.items.len - 1];
            // _ = &v0;
            // _ = &v1;
            // try vertices.append(v0);
            // try vertices.append(v1);

            // 2nd workaround
            // const v0 = vertices.items[vertices.items.len - 3];
            // const v1 = vertices.items[vertices.items.len - 1];
            // try vertices.appendSlice(&.{ v0, v1 });
        }

        try vertices.append(.{ 0, 0, 0 });
    }

    std.log.err("count: {d}", .{vertices.items.len});
}

Expected Behavior

No segfault in the generated code

The text was updated successfully, but these errors were encountered:

mikastiv · 2024-02-20T03:26:13Z

Potential duplicates #5973, #5455

Vexu · 2024-02-20T13:49:46Z

Using -fno-llvm -fno-lld doesn't segfault so this is likely caused by an optimization in the LLVM backend.

jacobly0 · 2024-02-20T21:28:15Z

v0 is passed by reference to the actual element in the items slice, which is invalidated by the array list resize, causing the actual append to crash.

joek13 · 2025-05-18T06:27:35Z

I ran into the same issue. Here's a slightly more concise repro:

const std = @import("std");

const Foo = struct {
    inner: u8
};

pub fn main() !void {
    var gpa = std.heap.GeneralPurposeAllocator(.{}){};
    defer _ = gpa.deinit();
    const allocator = gpa.allocator();

    var list = std.ArrayList(Foo).init(allocator);
    defer list.deinit();

    try list.append(Foo { .inner = 42 });

    for(0..1000) |_| {
        const v = list.items[list.items.len - 1];
        try list.append(v);
    }
}

% zig version
0.14.0
% zig build-exe repro.zig && ./repro
Segmentation fault at address 0x10288007f
aborting due to recursive panic
zsh: abort      ./repro

I was able to work around the segfault by declaring v as a var:

var v: Foo = undefined;
for(0..1000) |_| {
   v = list.items[list.items.len - 1];
   try list.append(v);
}

Here's a link to Compiler Explorer that shows the generated IR in each case. In the example, the compiler seems to elide the copy and directly pass a pointer to append.

Block2:
  %23 = extractvalue { ptr, i64 } %14, 0
  %24 = getelementptr inbounds %example.Foo, ptr %23, i64 %20
  %25 = call fastcc i16 @"array_list.ArrayListAligned(example.Foo,null).append"(ptr %0, ptr nonnull align 8 %3, ptr nonnull readonly align 1 %24)
  %26 = icmp ne i16 %25, 0
  br i1 %26, label %TryRet1, label %TryCont1

The workaround causes us to copy the value, as desired:

Block2:
  %34 = extractvalue { ptr, i64 } %25, 0
  %35 = getelementptr inbounds %example.Foo, ptr %34, i64 %31
  call void @llvm.memcpy.p0.p0.i64(ptr align 1 %3, ptr align 1 %35, i64 1, i1 false)
  %36 = call fastcc i16 @"array_list.ArrayListAligned(example.Foo,null).append"(ptr %0, ptr nonnull align 8 %5, ptr nonnull readonly align 1 %3)
  %37 = icmp ne i16 %36, 0
  br i1 %37, label %TryRet1, label %TryCont1

mikastiv added the bug Observed behavior contradicts documented or intended behavior label Feb 20, 2024

Vexu added the backend-llvm The LLVM backend outputs an LLVM IR Module. label Feb 20, 2024

Vexu added this to the 0.13.0 milestone Feb 20, 2024

Vexu mentioned this issue Mar 8, 2024

ArrayList segfault when appending large value #19215

Closed

Vexu added the miscompilation The compiler reports success but produces semantically incorrect code. label May 10, 2024

andrewrk modified the milestones: 0.14.0, 0.14.1 Mar 1, 2025

andrewrk modified the milestones: 0.14.1, 0.15.0 Apr 15, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Compiler discards const stack variable declarations and generates segfaulting code #19011

Compiler discards const stack variable declarations and generates segfaulting code #19011

mikastiv commented Feb 20, 2024

mikastiv commented Feb 20, 2024

Vexu commented Feb 20, 2024 •

edited

Loading

jacobly0 commented Feb 20, 2024

joek13 commented May 18, 2025

Compiler discards const stack variable declarations and generates segfaulting code #19011

Compiler discards const stack variable declarations and generates segfaulting code #19011

Comments

mikastiv commented Feb 20, 2024

Zig Version

Steps to Reproduce and Observed Behavior

Expected Behavior

mikastiv commented Feb 20, 2024

Vexu commented Feb 20, 2024 • edited Loading

jacobly0 commented Feb 20, 2024

joek13 commented May 18, 2025

Vexu commented Feb 20, 2024 •

edited

Loading